Privacy, Security and Trust in Cloud Computing
Siani Pearson

HP Laboratories

HPL-2012-80R1

cloud computing; privacy; security; trust

Cloud computing refers to the underlying infrastructure for an emerging model of service provision that has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on information technology (IT) budgeting but also affect traditional security, trust and privacy mechanisms. The advantages of cloud computing – its ability to scale rapidly, store data remotely, and share services in a dynamic environment – can become disadvantages in maintaining a level of assurance sufficient to sustain confidence in potential customers. Some core traditional mechanisms for addressing privacy (such as model contracts) are no longer flexible or dynamic enough, so new approaches need to be developed to fit this new paradigm. In this chapter we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed.

External Posting Date: June 28, 2012 [Fulltext]. Approved for External Publication. Internal Posting Date: June 28, 2012 [Fulltext].

To appear as a book chapter published by Springer. Copyright 2012 Springer.

Keywords: cloud computing; privacy; security; risk; trust

1.1 Introduction

Although there is no definitive definition for cloud computing, a definition that is commonly accepted is provided by the United States National Institute of Standards and Technology (NIST):

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [1]

This shared pool of resources is unified through virtualisation or job scheduling techniques. Virtualisation is the creation of a set of logical resources (whether it be a hardware platform, operating system, network resource or other resource) usually implemented by software components that act like physical resources. In particular, software called a ‘hypervisor’ emulates physical computer hardware and thus allows the operating system software running on the virtual platform — a virtual machine (VM) — to be separated from the underlying hardware resources.

The resources made available through cloud computing include hardware and systems software on remote datacenters, as well as services based upon these that are accessed through the Internet; these resources can be managed to dynamically scale up to match the load, using a pay-per-resources business model. Key features advertised are elasticity, multi-tenancy, maximal resource utilization and pay-per-use. These new features provide the means to leverage large infrastructures like data centres through virtualization or job management and resource management. Cloud computing (or, more simply, ‘cloud’) provides a market opportunity with a huge potential both for efficiency and new business opportunities (especially in service composition), and is almost certain to deeply transform our information technology infrastructures, models and services. Not only are there cost savings due to economies of scale on the service provider side and pay-as-you-go models, but business risk is decreased because there is less need to borrow money for upfront investment in infrastructure.

The adoption of cloud computing may move quite quickly depending on local requirements, business context and market specificities. We are still in the early stages but cloud technologies are becoming adopted widely in all parts of the world. The economic potential of cloud computing and its capacity to accelerate innovation are putting business and governments under increased pressure to adopt cloud computing based solutions.


Although the hype around cloud tends to encourage people to think that it is a universal panacea, this is not the case and quite often promoters ignore the inherent complexities added by the cloud. There are a number of challenges to providing cloud computing services: the need to comply with local and regional regulations, obtaining the necessary approvals when data is accessed from another jurisdiction, some additional complexity in terms of governance, maintenance and liability inherent to cloud, and a perceived lack of trust in cloud services. Many Chief Information Officers (CIOs) in large enterprises identify security concerns as the top reason for not embracing the public cloud more aggressively, and not benefitting from associated cost optimizations [2,3]. Added to this rather common concern from technical audiences is a growing concern from data subjects, consumer advocates and regulators about the potentially significant impact on personal data protection and the required compliance to local regulations [4,5]. The Patriot Act – a US federal law that can compel the legal request of customer and employee privacy information – in particular causes fears about transferring information to the US [6]. Cloud can exacerbate the strain on traditional frameworks for privacy that globalization has already started. For example, location matters from a legal point of view, but in the cloud, information might be in multiple places, might be managed by different entities and it may be difficult to know the geographic location and which specific servers or storage devices are being used. It is currently difficult to ascertain and meet compliance requirements, as existing global legislation is complex and includes export restrictions, data retention restrictions, sector-specific restrictions and legislation at state and/or national levels. Legal advice is required, transborder data flow restrictions need to be taken into account, and care must be taken to delete data and virtual storage devices when appropriate. Although often there is a focus on security, in fact the most complex issue to address is privacy.

Context is an important aspect, as different information can have different privacy, security and confidentiality requirements. Privacy needs to be taken into account only if the cloud service handles personal information (in the sense of collecting, transferring, processing, sharing, accessing or storing it). Moreover, privacy threats differ according to the type of cloud scenario. There is a low privacy threat if the cloud service is to process information that is (or is very shortly to be) public. That is why the New York Times mass conversion of scanned images to PDF in the early stages of the cloud, which was at the time often highlighted as a classic demonstration of the benefits of a cloud approach, was a good scenario for cloud computing. On the other hand, there is a high privacy threat for cloud services that are dynamically personalized, based on people’s location, preferences, calendar and social networks, etc. Even if the same information is involved, there may be different data protection requirements in different contexts due to factors including location and trust in the entities collecting and processing it. In addition it should be borne in mind that there may be confidentiality issues in the cloud even if there is no “personal data” involved: in particular, intellectual property and trade secrets may require protection that is similar to personal data and in some cases may benefit from practices and technologies developed specifically for ensuring appropriate personal data handling within the network of cloud service providers (which in this chapter we will refer to as a ‘cloud ecosystem’).

Opportunities are being created for some service providers to offer cloud services that have greater assurance and that employ mechanisms to reduce risk. These services might be more expensive than ones with minimal guarantees in terms of security and privacy, but in certain contexts, and especially where sensitive information is involved, this is what is needed to foster trust in using such services while still allowing economic savings and other benefits of cloud computing. The potential can be very good: for small and medium-sized enterprises (SMEs) in particular, greater security can actually be achieved via the use of cloud services than they have the expertise or budget to provide in-house. On the other hand, there are a number of potential pitfalls and complications, especially due to the global nature of business and the associated potential for increased data exposure and non-compliance with a matrix of different regulations, and these need to be addressed.

Overall, there is a paradigm change with cloud that can increase security concerns (especially loss of control, data integrity, data confidentiality and access by governments due to the US Patriot Act and other legislation), resulting in complexity increasing along organizational, technical and regulatory dimensions. We shall consider these aspects further in this chapter.

The structure of the chapter is as follows:

• section 1.2 gives an overview of cloud computing deployment and service models

• section 1.3 discusses the sometimes complex relationship between privacy, security and trust

• section 1.4 describes privacy issues for cloud computing

• section 1.5 describes security issues for cloud computing

• section 1.6 describes trust issues for cloud computing

• section 1.7 briefly discusses a number of approaches to addressing privacy, security and trust issues in cloud computing

• section 1.8 provides a summary and conclusions

1.2 Cloud Deployment and Service Models

Building on the explanation given in the previous section, cloud computing refers to the underlying infrastructure (which may be very complex) that provides services to customers via defined interfaces. There are different layers of cloud services that refer to different types of service model, each offering discrete capabilities. Apart from management and administration, the major layers are:

Infrastructure as a Service (IaaS): the delivery of computing resources as a service, including virtual machines and other abstracted hardware and operating systems. The resources may be managed through a service Application Programming Interface (API). The customer rents these resources rather than buying and installing them in its data centre, and often the resources are dynamically scalable, paid for on a usage basis. Examples include Amazon EC2 and S3.

Platform as a Service (PaaS): the delivery of a solution stack for software development including a runtime environment and life cycle management software. This allows customers to develop new applications using APIs deployed and configurable remotely. Examples include Google App Engine, Force.com and Microsoft Azure.

Software as a Service (SaaS): the delivery of applications as a service, available on demand and paid for on a per-use basis. In simple multi-tenancy, each customer has its own resources that are segregated from those of other customers. A more efficient form is fine grained multi-tenancy, where all resources are shared, except that customer data and access capabilities are segregated within the application. Examples include online word processing and spreadsheet tools, customer relationship management (CRM) services and web content delivery services (Salesforce CRM, Google Docs, etc.)

These three are the main layers, although there can also be other forms of service provided, such as business process as a service, data as a service, security as a service, storage as a service, etc.

[Figure 1.1: the cloud service stack. Layers shown: Physical Infrastructure; Infrastructure as a Service (IaaS); Platform as a Service (PaaS); Software as a Service (SaaS); End Users.]

These layers form a kind of stack, as illustrated in Figure 1.1. For example, in IaaS, consumers can deploy and run software, with a Cloud Service Provider (CSP) controlling the underlying cloud infrastructure. In PaaS, consumers deploy (onto a cloud infrastructure run by a CSP) applications that have been created using programming languages and tools supported by that provider. In SaaS, consumers use CSPs’ applications running on a cloud infrastructure that is typically provided by another CSP. In practice, IT vendors providing cloud services often include elements from several layers.

Cloud computing has several deployment models, of which the main ones are:

Private: a cloud infrastructure operated solely for an organisation, being accessible only within a private network and being managed by the organisation or a third party (potentially off-premise)

Public: a publicly accessible cloud infrastructure

Community: a cloud infrastructure shared by several organisations with shared concerns

Hybrid: a composition of two or more clouds that remain separate but between which there can be data and application portability

Partner: cloud services offered by a provider to a limited and well-defined number of parties

Cloud computing services use ‘autonomic’ or self-regulating technologies which allow services to react and make decisions on their own, independently of CSP operators and transparently to customers, based on pre-set policies or rules; autonomic processes might, for example, independently scale up service provision in reaction to a customer’s usage, or transfer data processing within a virtual machine from a physical server location in the US to another in Japan, based on the comparative usage of the physical servers.

In most of these cloud computing models, multiple customers share software and infrastructure hosted remotely – a process known as multi-tenancy. Hence, one instance of software, and the physical machine it runs on, serves clients from different companies, although security mechanisms are used to provide a protected VM environment for each user. Therefore, cloud computing can be thought of as an evolution of outsourcing, where an organisation’s business processes or infrastructures are contracted out to a different provider. A key difference is that with cloud computing it can be difficult, or even impossible, to identify exactly where the organisation’s data actually is. This is partly because CSPs may have server farms in several countries, and it may not be possible for the CSP to guarantee to a customer that data will be processed in a particular server farm, or even country. Amazon Web Services (AWS) and Google have multiple data centres worldwide, details of the locations of which are often confidential.

Offshoring, a term traditionally used where business processes are relocated to a different country, is thus also seen as a common element of cloud service provision.

In addition, it is the case that just as their customers use cloud services to obtain variable amounts of service provision according to their needs over time (usually referred to as ‘scalability’), CSPs may themselves lease processing and storage capacity from other service providers to meet their own requirements. Thus when a customer processes data using a CSP, that data may simultaneously reside in a jurisdiction outside that of both the customer and CSP, and on a third party’s computer systems.

From a legal and regulatory compliance perspective, several of the key characteristics of cloud computing services including outsourcing, offshoring, virtualisation, and autonomic technologies may be problematic, for reasons ranging from software licensing, and the content of service level agreements (SLAs), to determining which jurisdiction’s laws apply to data hosted ‘in the cloud’, and the ability to comply with data privacy laws [7,8]. For example, the autonomic aspect of cloud computing can pose new risks, namely self-optimization and self-healing. Self-optimization grants a degree of autonomy in decision making, e.g. automatically adapting services to meet the changing needs of customers and service providers; this challenges enterprises’ abilities to maintain consistent security standards. Self-healing allows CSPs to provide appropriate business continuity, recovery and back-up, but it may not be possible to determine with any specificity where data processing takes place within the cloud infrastructure [9]. Autonomic aspects of cloud computing – like many of the other aspects mentioned above – are one of its assets but need to be tailored to be compliant with privacy and legal issues.

Before considering the privacy, security and trust issues associated with cloud computing in more detail, we analyse in the next section what these terms mean and how they interrelate.

1.3 The Relationship between Privacy, Security and Trust

Privacy and trust are both complex notions for which there is no standard, universally accepted definition. Consequently, the relationship between privacy, security and trust is necessarily intricate. In this section, we explain some of the main elements of this relationship.

1.3.1 Privacy

At the broadest level (and particularly from a European standpoint), privacy is a fundamental human right, enshrined in the United Nations Universal Declaration of Human Rights (1948) and subsequently in the European Convention on Human Rights and national constitutions and charters of rights such as the UK Human Rights Act 1998. Since at least the 1970s the primary focus of privacy has been personal information, particularly concerned with protecting individuals from government surveillance and databases, and the potential mandatory disclosure of privacy databases. A decade later concerns were raised related to direct marketing and telemarketing and, later still, consideration was given to the increasing threat of on-line identity theft. There are various forms of privacy, ranging from ‘the right to be left alone’ [10], ‘control of information about ourselves’ [11], ‘the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personally identifiable information.’ [12] to a focus on the harms that arise from privacy violations [13]. Another influence is Nissenbaum’s idea of privacy as “contextual integrity,” whereby the nature of challenges posed by information technologies may be measured. Contextual integrity binds adequate protection for privacy to norms of specific contexts that are essentially constraints on information flows, so that information gathering and dissemination should be made appropriate to the particular context [14, 15].

In the commercial, consumer context, privacy entails the protection and appropriate use of the personal information of customers, and the meeting of expectations of customers about its use. For organisations, privacy entails the application of laws, policies, standards and processes by which personal information is managed. What is appropriate will depend on the applicable laws, individuals’ expectations about the collection, use and disclosure of their personal information and other contextual information, hence one way of thinking about privacy is just as ‘the appropriate use of personal information under the circumstances’ [16]. Data protection is the management of personal information, and is often used within the European Union in relation to privacy-related laws and regulations (although in the US the usage of this term is focussed more on security).

In broad terms, personal information describes facts, communications or opinions which relate to the individual and which it would be reasonable to expect him or her to regard as intimate or sensitive and therefore about which he or she might want to restrict collection, use or sharing. The terms ‘personal information’ and ‘personal data’ are commonly used within Europe and Asia, whereas in the US the term ‘Personally Identifiable Information’ (PII) is normally used, but they are generally used to refer to the same (or a very similar) concept. This can be defined as information that can be traced to a particular individual, and includes such things as: name, address, phone number, social security or national identity number, credit card number, email address, passwords, date of birth. There are a number of types of information that could be personal data but are not necessarily so in all circumstances, such as: usage data collected from computer devices such as printers; location data; behavioural information such as viewing habits for digital content; users' recently visited websites or product usage history; online identifiers such as IP addresses, Radio Frequency Identity (RFID) tags, cookie identifiers and unique hardware identities.

The current European Union (EU) definition of personal data is that ‘personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.’ [17]

Some personal data elements are considered more sensitive than others, although the definition of what is considered sensitive personal information may vary depending upon jurisdiction and even on particular regulations. In Europe, sensitive personal information is called special categories of data, which refers to information on religion or race, political opinions, health, sexual orientation, trade-union membership and data relating to offences or criminal convictions, and its handling is specially regulated. In the US, social security and driver licence numbers, personal financial information and medical records are commonly treated as sensitive. Health information is considered sensitive in all jurisdictions. Other information that may be considered sensitive includes job performance information, biometric information and collections of surveillance camera images in public places. In general, sensitive information requires additional privacy and security limitations or safeguards because it can be considered as a sub-set of personal information with an especially sensitive nature.

Key privacy terminology includes the notions of data controller, data processor and data subject. Their meaning is as follows:

Data controller: An entity (whether a natural or legal person, public authority, agency or other body) which alone, jointly or in common with others determines the purposes for which and the manner in which any item of personal information is processed

Data processor: An entity (whether a natural or legal person, public authority, agency or any other body) which processes personal information on behalf and upon instructions of the Data Controller

Data subject: An identified or identifiable individual to whom personal information relates, whether such identification is direct or indirect (for example, by reference to an identification number or to one or more factors specific to physical, physiological, mental, economic, cultural or social identity)

The fair information practices developed in the US in the 1970s [18] and later adopted and declared as principles by the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe [19] form the basis for most data protection and privacy laws around the world. These principles can be broadly described as follows:

1. Data collection limitation: data should be collected legally with the consent of the data subject where appropriate and should be limited to the data that is needed.

2. Data quality: data should be relevant and kept accurate.

3. Purpose specification: the purpose should be stated at the time of data collection.

4. Use limitation: personal data should not be used for other purposes unless with the consent of the individual.

5. Security: personal data should be protected by a reasonable degree of security.

6. Openness: individuals should be able to find out what personal data is held and how it is used by an organization.

7. Individual participation: an individual should be able to obtain details of all information about them held by a data controller and challenge it if incorrect.

8. Accountability: the data controller should be accountable for complying with these principles.

This framework can enable the sharing of personal information across participating jurisdictions without the need for individual contracts. Furthermore, the legislation supports the observation and enforcement of the protection of personal information as a fundamental right.

In Europe, the European Data Protection Directive 95/46/EC (and its supporting country legislation) implements these Fair Information Principles, along with some additional requirements including transborder data flow restrictions. Legislation similar to the European Data Protection Directive has been, and continues to be, enacted in many other countries, including Australia, New Zealand, Hong Kong, Japan and APEC. Notably, legislation in Canada, Argentina, Israel, Switzerland, Guernsey, Iceland, Liechtenstein, Norway, Jersey and the Isle of Man is considered strong enough to be ‘adequate’ by the EC. (Adequacy defines how a specific country is considered to have an adequate or inadequate level of protection for processing personal data of subjects from within the European Union countries.) In contrast, the US does not have a comprehensive regime of data protection but instead has a variety of laws — such as the Health Insurance Portability and Accountability Act (HIPAA) — which are targeted at the protection of particularly sensitive types of information. This US approach to privacy legislation is historically sector-based or enacted at the state level (for example, the State of Massachusetts has set out appropriate security standards for protecting the personal information of residents of that state) and places few if any restrictions on transborder data flow. The US is considered adequate for data transfer only under the limitation of the Safe Harbor agreement [20].

At the time of writing, regulations, enforcement activities and sanctions are increasing the world over. The US is introducing a Consumer Privacy Bill of Rights [21] and the EU is revising its Data Protection Directive and regulation [22], with the result that FTC enforcement will be strengthened within the US and current plans are that European DPAs will be able to impose fines of up to 2% of worldwide annual turnover on companies that do not have mechanisms in place to underpin regulatory data protection compliance [22]. Other consequences of privacy failure for data controllers include civil liability (whereby data subjects enforce their rights), criminal liability (fines and imprisonment), investment risk, business continuity impact and reputational damage.

To summarise, privacy is regarded as a human right in Europe, whereas in America it has been traditionally viewed more in terms of avoiding harm to people in specific contexts. It is a complex but important notion and correspondingly the collection and processing of personal information is subject to regulation in many countries across the world. Hence cloud business scenarios need to take this into account.

1.3.2 Security

For the purposes of this book, by security we mean information security. In this sense, security may be defined as:


“Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.” [23]

Confidentiality is commonly but erroneously equated with privacy by some security practitioners and is:

“The property that information is not made available or disclosed to unauthorized individuals, entities or processes” [23]

Note that security is actually one of the core privacy principles, as considered in the previous subsection. Correspondingly, it is a common requirement under the law that if a company outsources the handling of personal information or confidential data to another company, it has some responsibility to make sure the outsourcer uses “reasonable security” to protect those data. This means that any organization creating, maintaining, using or disseminating records of PII must ensure that the records haven't been tampered with, and must take precautions to prevent misuse of the information. Specifically, to ensure the security of the processing of such information, data controllers must implement appropriate technical and organizational measures to protect it against:

Unauthorised access or disclosure: in particular where the processing involves the transmission of data over a network

Destruction: accidental or unlawful destruction or loss

Modification: inappropriate alteration

Unauthorised use: all other unlawful forms of processing

Mechanisms to do this include risk assessment, implementing an information security program and putting in place effective, reasonable and adequate safeguards that cover physical, administrative and technical aspects of security. In the case of cloud computing, the CSP needs to implement “reasonable security” when handling personal information.

Privacy differs from security, in that it relates to handling mechanisms for personal information, dealing with individual rights and aspects like fairness of use, notice, choice, access, accountability and security. Many privacy laws also restrict the transborder data flow of personal information.

Security mechanisms, on the other hand, focus on provision of protection mechanisms that include authentication, access controls, availability, confidentiality, integrity, retention, storage, backup, incident response and recovery. Privacy relates to personal information only, whereas security and confidentiality can relate to all information.

1.3.3 Trust

Here we give a brief analysis of on-line trust. Further consideration of key aspects related to trust in the cloud and an assessment of consumer and corporate IT concerns about the cloud is given in section 1.6.

Trust is a complex concept for which there is no universally accepted scholarly definition. Evidence from a contemporary, cross-disciplinary collection of scholarly writing suggests that a widely held definition of trust is as follows:

“Trust is a psychological state comprising the intention to accept vulnerability based upon positive expectations of the intentions or behaviour of another” [24]

Yet this definition does not fully capture the dynamic and varied subtleties involved. For example: letting the trustee take care of something the trustor cares about [25]; the subjective probability with which the trustor assesses that the trustee will perform a particular action [26]; the expectation that the trustee will not engage in opportunistic behavior [27]; a belief, attitude, or expectation concerning the likelihood that the actions or outcomes of the trustee will be acceptable or will serve the trustor’s interests [28]. Trust is a broader notion than security as it includes subjective criteria and experience. Correspondingly, there exist both hard (security-oriented) and soft (i.e. non-security oriented) trust solutions [29]. “Hard” trust involves aspects like authenticity, encryption, and security in transactions, whereas “soft” trust involves human psychology, brand loyalty, and user-friendliness [30]. Some soft issues are involved in security, nevertheless. An example of soft trust is reputation, which is a component of online trust that is perhaps a company’s most valuable asset [31] (although of course a CSP’s reputation may not be justified). Brand image is associated with trust and suffers if there is a breach of trust or privacy.


People often find it harder to trust on-line services than off-line services [32], often because in the digital world there is an absence of physical cues and there may not be established centralized authorities [33]. The distrust of on-line services can even negatively affect the level of trust accorded to organizations that may have been long respected as trustworthy [34]. There are many different ways in which on-line trust can be established: security may be one of these (although security, on its own, does not necessarily imply trust [31]). Some would argue that security is not even a component of trust: Nissenbaum argues that the level of security does not affect trust [35]. On the other hand, an example of increasing security to increase trust comes from people being more willing to engage in e-commerce if they are assured that their credit card numbers and personal data are cryptographically protected [36].

There can be differing phases in a relationship such as building trust, a stable trust relationship and declining trust. Trust can be lost quickly: as Nielsen states [37]: “It [trust] is hard to build and easy to lose: a single violation of trust can destroy years of slowly accumulated credibility”. Various approaches have targeted the measurement of factors that influence trust and the analysis of related causal relationships [38]. Many trust metrics have traditionally relied on a graph and have dealt with trust propagation [39, 40]; other techniques used to measure trust include Fuzzy Cognitive Maps [41].
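As an added illustration of what a graph-based trust metric with propagation computes (example code written for this edit, not code from the author or from the cited works [39, 40], which define their own metrics): each edge carries a direct trust value in [0, 1], the trust carried by a chain of recommendations is the product of its hop values so that every intermediary discounts it, and the propagated trust between two parties is the maximum over all chains. The sample graph of a customer, an auditor, a peer, a CSP and one of its sub-processors is constructed for the example.

```python
import heapq
from collections import defaultdict


def propagate_trust(edges, trustor, trustee):
    """Strongest propagated trust from trustor to trustee.

    edges: iterable of (a, b, t) meaning "a directly trusts b to degree t",
           with t in [0, 1].
    The trust carried by a chain a -> ... -> b is the product of its hop
    values (each intermediary discounts it); the propagated value is the
    maximum over all chains. Because every factor is <= 1 the product can
    only shrink along a path, so a best-first search keyed on the highest
    trust seen so far behaves like Dijkstra's algorithm: the first time the
    trustee is popped, its value is optimal.
    """
    graph = defaultdict(list)
    for a, b, t in edges:
        if not 0.0 <= t <= 1.0:
            raise ValueError(f"trust value out of range: {a}->{b}: {t}")
        graph[a].append((b, t))

    best = {trustor: 1.0}          # full trust in oneself
    heap = [(-1.0, trustor)]       # max-heap via negated trust
    while heap:
        neg, node = heapq.heappop(heap)
        trust = -neg
        if node == trustee:
            return trust
        if trust < best.get(node, 0.0):
            continue               # stale heap entry, a better path was found
        for nxt, t in graph[node]:
            candidate = trust * t
            if candidate > best.get(nxt, 0.0):
                best[nxt] = candidate
                heapq.heappush(heap, (-candidate, nxt))
    return 0.0                     # no chain of recommendations at all


def trusted_enough(edges, trustor, trustee, threshold):
    """Policy check: is the propagated trust at least the required level?"""
    return propagate_trust(edges, trustor, trustee) >= threshold


# Constructed sample graph for the example (not data from the chapter).
SAMPLE_EDGES = [
    ("customer", "auditor", 0.9),
    ("auditor", "csp", 0.8),
    ("customer", "peer", 0.6),
    ("peer", "csp", 0.95),
    ("csp", "subprocessor", 0.5),
]

if __name__ == "__main__":
    # customer -> csp: max(0.9 * 0.8, 0.6 * 0.95) = 0.72
    print(propagate_trust(SAMPLE_EDGES, "customer", "csp"))
    # customer -> subprocessor: 0.72 * 0.5 = 0.36, below a 0.5 policy threshold
    print(trusted_enough(SAMPLE_EDGES, "customer", "subprocessor", 0.5))
```

The point for a cloud customer is visible in the sub-processor case: trust in a party further down the provider chain is bounded by the weakest recommendation on the way there, and no single strong link repairs it. Real metrics also cap chain length, weigh the evidence behind each edge or combine parallel chains rather than taking the maximum; this block shows only the basic propagation step.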

When assessing trust in relation to cloud computing, it may be useful to distinguish between social and technological means of providing persistent and dynamic trust, as all of these aspects of trust can be necessary [42]. Persistent trust is trust in long-term underlying properties or infrastructure; this arises through relatively static social and technological mechanisms. Dynamic trust is trust specific to certain states, contexts, or short-term or variable information; this can arise through context-based social and technological mechanisms.

Persistent social-based trust in a hardware or software component or system is an expression of confidence in technological-based trust, because it is assurance about implementation and operation of that component or system. In particular, there are links between social-based trust and technological-based trust through the vouching mechanism, because it is important to know who is vouching for something as well as what they are vouching for; hence social-based trust should always be considered.

As considered further within section 1.6, there is a complex relationship between security and trust, but in CSP models, security can be a key element in perceived lack of consumer trust.

1.4 Privacy Issues for Cloud Computing

Current cloud services pose an inherent challenge to data privacy, because they typically result in data being present in unencrypted form on a machine owned and operated by a different organization from the data owner. The major privacy issues relate to trust (for example, whether there is unauthorized secondary usage of PII), uncertainty (ensuring that data has been properly destroyed, who controls retention of data, how to know that privacy breaches have occurred and how to determine fault in such cases) and compliance (in environments with data proliferation and global, dynamic flows, and addressing the difficulty in complying with transborder data flow requirements). When considering privacy risks in the cloud, as considered already within the introduction, context is very important as privacy threats differ according to the type of cloud scenario. For example, there are special laws concerning treatment of sensitive data, and data leakage and loss of privacy are of particular concern to users when sensitive data is processed in the cloud. Currently this is so much of an issue that the public cloud model would not normally be adopted for this type of information. More generally, public cloud is the most dominant architecture when cost reduction is concerned, but relying on a cloud service provider (CSP) to manage and hold one’s data in such an environment raises a great many privacy concerns.

In the remainder of this section we consider a number of aspects that illustrate best these privacy issues: lack of user control, potential unauthorized secondary usage, regulatory complexity (especially due to the global nature of cloud, complex service ecosystems, data proliferation and dynamic provisioning and related difficulties meeting transborder data flow restrictions), litigation and legal uncertainty.


1.4.1 Lack of User Control

User-centric control seems incompatible with the cloud: as soon as a SaaS environment is used, the service provider becomes responsible for storage of data, in a way in which visibility and control is limited. So how can a consumer retain control over their data when it is stored and processed in the cloud? This can be a legal requirement and also something users/consumers want – it may even be necessary in some cases to provide adequate trust for consumers to switch to cloud services.

Key aspects of this lack of user control include:

1. Ownership of and control over the infrastructure: In cloud computing, consumers’ data is processed in ‘the cloud’ on machines they do not own or control, and there is a threat of theft, misuse (especially for different purposes from those originally notified to and agreed with the consumer) or unauthorized resale. See further discussion in section 1.4.3.

2. Access and transparency: it is not clear that it will be possible for a CSP to ensure that a data subject can get access to all his/her PII. There can be lack of transparency about where data is, who owns it and what is being done with it. Furthermore, it is difficult to control (and even know) the exposure of the data transferred to the cloud, because information passing through some countries (including the US, as permitted by the US Patriot Act) can be accessed by law enforcement agencies.

3. Control over data lifecycle: a CSP may not comply with a request for deletion of data. Further detail is given in Subsection 1.5.4. Similarly, it is not necessarily clear who controls retention of data (or indeed what the regulatory requirements are in that respect as there can be a range of different data retention requirements, some of which may even be in conflict).

4. Changing provider: It can also be difficult to get data back from the cloud, and avoid vendor lock-in, as considered further in Subsection 1.5.3.

5. Notification and redress: Uncertainties about notification, including of privacy breaches, and ability to obtain redress. It can be difficult to know that privacy breaches have occurred and to determine who is at fault in such cases.


6. Transfer of data rights: It is unclear what rights in the data will be acquired by data processors and their sub-contractors, and whether these are transferable to other third parties upon bankruptcy, takeover, or merger [43].

1.4.2 Lack of Training and Expertise

Deploying and running cloud services may require many jobs requiring high skills, but lack of STEM (Science, Technology, Engineering, and Mathematics) graduates in Europe and other parts of the world could make it difficult to recruit suitably qualified people. In particular, lack of trained personnel can be an issue from a security point of view.

In addition, people may lack understanding about the privacy impact of decisions they make. Technology in general exacerbates this problem as more employees are able to trigger privacy consequences and these can be further-reaching: instead of protecting data on a server to which very few people have access, employees can now leave sensitive information unencrypted on a laptop, or expose confidential information at a flick of a switch. In the case of cloud, it is relatively quick and easy to go to a portal to request a service that is instantly provided, and it only takes a credit card if public cloud services are used like those from Salesforce and Google. Hence, unless proper management procedures are in place, there is a danger that employees could switch to using cloud computing services without adequately considering the consequences and risks for that particular situation.

1.4.3 Unauthorised Secondary Usage

There is a risk (and perhaps even an expectation!) that data stored or processed in the cloud may be put to unauthorized uses. It is part of the standard business model of cloud computing that the service provider may gain revenue from authorized secondary uses of users’ data, most commonly the targeting of advertisements. However, some secondary data uses would be very unwelcome to the data owner (such as, for example, the resale of detailed sales data to their competitors). Therefore, it will be necessary for consumers and CSPs to make legally binding agreements as to how data provided to CSPs may be used. At present there are no technological barriers to such secondary uses, although as we consider further in various chapters in this book, it is likely that in future such agreements might be enforceable in a technological sense. This will help enhance trust and mitigate the effects of the blurring of security boundaries considered above.

1.4.4 Complexity of Regulatory Compliance

Due to the global nature of cloud computing and the many legislations in place around the world, it can be complex and difficult to ensure compliance with all the legislation that may apply in a given case.

Putting data in the cloud may impact privacy rights, obligations and status: for example it may make it impossible to comply with some laws such as the Canadian Privacy Act or health laws. Legal protection can be reduced, and trade secrets may be impacted.

Location matters from a legal point of view as different laws may apply depending on where information exists, but in cloud computing the information might sometimes be in multiple places simultaneously, it may be difficult to know exactly where it is or it may be in transit. A complicating factor is that there are multiple copies of data located in the cloud. Furthermore, these copies can be managed by different entities: a back-up SP, a provider used to respond to peak capacity needs, specialised services, etc.

Correspondingly, central properties of cloud that can make regulatory compliance difficult are data proliferation and dynamic provisioning. We consider these in turn. In addition, it can also be possible to violate local laws when transferring data stored in the cloud: cloud computing exacerbates the transborder data flow issue because it can be extremely difficult to ascertain which specific server or storage device will be used, due to the dynamic nature of cloud computing. These transborder data flow restrictions are a special case that we consider subsequently.


Data Proliferation

Data proliferation is a feature of cloud and this happens in a way that may involve multiple parties and is not controlled by the data owners. CSPs ensure availability by replicating data in multiple datacenters. It is difficult to guarantee that a copy of the data or its backups are not stored or processed in a certain jurisdiction, or that all these copies of data are deleted if such a request is made. This issue is considered further in subsection 1.5.4. Movement of data onto the cloud and potentially across and between legal jurisdictions, including offshoring of data processing, increases risk factors and legal complexity [44, 45]. Governance and accountability measures also become more complex as processes are outsourced and data crosses organisational boundaries [46]. The risks that can arise from choosing the wrong business partner can be daunting and very difficult to assess, especially in cloud based environments, where even knowing the jurisdictions involved can be quite difficult [47]. Issues of jurisdiction (i.e. about whose courts would hear a case), which law applies and about whether a legal remedy can be effectively enforced need to be considered [48]. A cloud computing service which combines outsourcing and offshoring may raise very complex issues [49]. Hence, it can be difficult to ascertain privacy compliance requirements in the cloud.

Dynamic Provisioning

Cloud computing faces many of the same problems as traditional outsourcing, yet the dynamic nature of cloud makes many existing provisions to address this in more static environments obsolete or impractical to set up in such a short timescale. Model contracts are one example of this that is considered further in the following section. It is not clear which party is responsible (statutorily or contractually) for ensuring legal requirements for personal information are observed, or appropriate data handling standards are set and followed [50], or whether they can effectively audit third-party compliance with such laws and standards. Neither is it yet clear to what extent cloud sub-contractors involved in processing can be properly identified, checked and ascertained as being trustworthy, particularly in a dynamic environment.


1.4.5 Addressing Transborder Data Flow Restrictions

Privacy and data protection regulations restrict transfer of personal information across national borders, which includes restricting both the physical transfer of data and remote access to the data. Transfers from all countries with national legislation are restricted, so this includes EU and European Economic Area (EEA) countries, Argentina, Australia, Canada, Hong Kong and New Zealand. From EU/EEA countries, personal information can be transferred to countries that have “adequate protection”, namely all other EU/EEA member states and also Switzerland, Canada, Argentina and Israel (since all have regulations deemed adequate by the EU). Note that no other countries have privacy regulations that are deemed adequate, so if information is to be sent to these countries then other approaches need to be used.

One such mechanism is that information can be transferred from an EU country to the US if the receiving entity has joined the US Safe Harbor agreement [20].

Secondly, personal information can also be transferred from any EU/EEA country to any non-EU/EEA country, other than Canada and Argentina, if model contracts have been signed and in many instances approved by the country regulator, or Binding Corporate Rules (BCRs) have been approved, or the individual has “freely given” consent. Model contracts are contractual agreements that contain data protection commitments, company liability requirements and liabilities to the individuals concerned. Transfers from other countries with national privacy legislation (e.g. Canada, Argentina) also require contractual agreement. BCRs are binding internal agreements/contracts that obligate all legal entities within a corporate group that will have access to EU personal information to adhere to all obligations of the EU Data Protection Directive.

The problem is that these techniques (and especially model contracts as currently used) are not well suited to cloud environments. The first reason is due to regulatory complexity and uncertainty in cloud environments, especially due to divergences between the individual European Member States’ national laws implementing the European Data Protection Directive, 1995. The second reason is that these techniques are not flexible enough for cloud, because administering and obtaining regulatory approval for model contracts can result in lengthy delays: the notification and prior approval requirements for EU Model Contracts vary significantly across the EU but are burdensome and can take from one to six months to set up. BCRs are suitable for dynamic environments but their scope is limited: they only apply to data movement within a company group, it may be difficult for SMEs to invest in setting these up and there are only a few BCRs to date, although it is a relatively new technique.

It is not just transborder data flow requirements that restrict the flow of information across borders: there may also be trade sanctions and other export restrictions, for example restriction of cryptography and confidential data from the US.

Not knowing which routes transnational traffic will take makes it very difficult to understand the particular laws which will apply. However, one interpretation of Section 4 of the Directive 95/46/EC is that transit of data through the territories is not relevant from the legal point of view: for example, if data are transferred from France to the US, whether the data flows through network links that run via the UK and Canada seems to be irrelevant from the legal point of view [7: P103].

Even if transit of data is not relevant to consider, it is still difficult to enforce transborder data flow regulations within the cloud. Cloud computing can exacerbate the problem of knowledge of geographic location of where cloud computing activities are occurring, as due to its dynamic nature this can be extremely difficult to find out.

1.4.6 Litigation

Another aspect is litigation: a CSP may be forced to hand over data stored in the cloud, as illustrated by the US vs. Weaver case [51], where Microsoft was requested via a trial subpoena rather than a warrant to provide e-mails handled by their Hotmail service. A government only needs to show the requested material is relevant to the case for a subpoena, whereas for a warrant, probable cause must be demonstrated. In order to avoid a similar situation occurring with non-governmental entities, subscribers to cloud services could include contractual provisions in the service agreement that govern the CSP’s response to any subpoena requests from such entities.

1.4.7 Legal Uncertainty

Legal frameworks have been instrumental and key to the protection of users’ personal and sensitive information. As considered briefly in Section 1.3.1, in Europe there is national legislation based upon the EU Directive, in the US there is a patchwork of legislation according to sector, information and/or geographical area, and in many other countries worldwide analogous frameworks apply. The fundamental concepts of such frameworks are in the main technology neutral, and their validity would still apply to cloud computing. Nevertheless, such frameworks – along with the associated tools, advice and national legislation – need to be constantly updated and adjusted with current and future technologies in mind. There is currently a dialogue between organizations, regulators and stakeholders to ensure that the regulatory framework does adapt to new frameworks and business models without eroding consumers’ trust in the systems that are deployed. In particular, the dynamically changing nature of cloud computing, potentially combined with cross-jurisdictional interactions, introduces legal aspects that need to be carefully considered when processing data.

There are existing legal constraints on the treatment of users’ private data by cloud computing providers. Privacy laws vary according to jurisdiction, but EU countries generally only allow PII to be processed if the data subject is aware of the processing and its purpose, and place special restrictions on the processing of sensitive data (for example, health or financial data), the explicit consent of the data owner being part of a sufficient justification for such processing [52]. They generally adhere to the concept of data minimization, that is, they require that personally identifiable information is not collected or processed unless that information is necessary to meet the stated purposes. In Europe, data subjects can refuse to allow their personally identifiable data to be used for marketing purposes [17]. Moreover, there may be requirements on the security and geographical location of the machines on which personally identifiable data is stored [52]. European law limiting cross-border data transfers also might prohibit the use of cloud computing services to process this data if data would be stored in countries with weak privacy protection laws, and notification may be required [53].

Since cloud technology has moved ahead of the law, there is much legal uncertainty about privacy rights in the cloud and it is hard to predict what will happen when existing laws are applied in cloud environments.

Areas of uncertainty still under current discussion include that the procedure of anonymizing or encrypting personal data may be regarded as regulated "processing", requiring consent, and it is not clear whether such processing for the purpose of enhancing users’ privacy is exempt from privacy protection requirements. Specifically, it can be unclear in practice whether or not data that will be processed is personal data, hence whether or not there are legal responsibilities associated with its processing. Anonymisation and pseudonymisation processes such as key-coding/obfuscation, fragmenting, deleting “identifying information” such as addresses etc., and even encryption, may in some circumstances result in personal data but in others not result in personal data under the current definition, and indeed it may not be obvious whether or not the anonymised/pseudonymised data is personal data. It follows that it may not be clear for example whether or not certain data can be sent outside the EU, or other actions can be performed that are restricted by the EU [54]. In general, the legal situation is subject to change: legislation has not yet been updated to address the challenges above and courts have not yet ruled on many cases specifically related to cloud computing.

1.4.8 Privacy Conclusions

In summary, we are seeing the biggest change in privacy since the 1980s and there is uncertainty in all regions. Cloud (and its inherent pressure towards globalization) is helping strain traditional frameworks for privacy. Policy makers are pushing for major change – fast-tracking concepts of fairness, placing more emphasis upon accountability (see subsection 1.7.1) and driving increased protection. This includes the draft US Privacy Bill of Rights and the EU Data Protection framework currently under consideration [17, 21].


Cloud computing offers significant challenges for organisations that need to meet various global privacy regulations, including the complexity of existing global legislation necessitating legal advice. Cloud faces the same privacy issues as other service delivery models, but it can also magnify existing issues, especially transborder data flow restrictions, liability and the difficulty in knowing the geographic location of processing and which specific servers or storage devices will be used. In addition, care must be taken to delete data and virtual storage devices, especially with regards to device reuse; this is considered further in the following section, and is both a privacy and a security issue. More broadly, security is an aspect of privacy that is considered further in the next section – hence many of the issues raised in that section, including the difficulties in enforcing data protection within cloud ecosystems, may be seen to also be privacy issues.

1.5 Security Issues for Cloud Computing

As we have seen in Subsection 1.3.3, security often tops the list of cloud user concerns. Cloud computing presents different risks to organizations than traditional IT solutions. There are a number of security issues for cloud computing, some of which are new, some of which are exacerbated by cloud models, and others that are the same as in traditional service provision models. The security risks depend greatly upon the cloud service and deployment model. For example, private clouds can to a certain extent guarantee security levels, but the economic costs associated with this approach are relatively high.

At the network, host and application levels, security challenges associated with cloud computing are generally exacerbated by cloud computing but not specifically caused by it. The main issues relate to defining which parties are responsible for which aspects of security. This division of responsibility is hampered by the fact that cloud APIs are not yet standardized. Customer data security raises a number of concerns, including the risk of loss, unauthorized collection and usage, and generally the CSP not adequately protecting data.

There are a number of different ways of categorizing security risks; moreover, these fit into a broader model of cloud-related risks. For example, according to the Cloud Security Alliance [4], the top threats to cloud computing are: abuse and nefarious use of cloud computing, insecure interfaces and APIs, malicious insiders, shared technology issues, data loss or leakage, account or service hijacking and unknown risk profile. They were unable to reach a consensus on ranking the degree of severity of these risks.

Abuse and nefarious use could cover a wide variety of threats, largely considered within section 1.5.2 below (unwanted access), but could also include the type of threats considered in 1.4.3 above (unauthorized secondary usage) or abuse of cloud resources, for example trying to use as much resource as possible (which could be quite high with a cloud model) without paying or in order to limit access for others. Insecure cloud interfaces and cloud APIs are considered within 1.5.5 below. Shared technology issues are considered within 1.5.4 (inadequate data deletion) and 1.5.7 (isolation failure). Malicious insiders could be considered with respect to a number of scenarios, but especially those considered in 1.5.2. Some aspects of data exposure have been covered in the previous section (covering privacy issues); others are considered in 1.5.6 (backup issues) and 1.5.2 (unwanted access). In this section we also consider the relative lack of interoperability, assurance, transparency and monitoring in the cloud. We also consider how a gap in security can arise in cloud environments. For further details about cloud security issues see for example [55, 56, 57].

1.5.1 Gap in Security

In general, security controls for the cloud are the same as those used in other IT environments. But as the customer cedes control to the cloud provider, there is a related risk that the CSP will not adequately address the security that they should be handling, or even that SLAs do not include any provision of the necessary security services.

This risk is dependent upon the service model used. The lower down the stack the cloud provider, the more security the consumer is responsible for: thus, the consumer of IaaS needs to build in security as they are primarily responsible for it, whereas in SaaS environments security controls and their scope (as well as privacy and compliance) are negotiated into the contracts for service. The customer may need to understand how the cloud provider handles issues such as patch management and configuration management as they upgrade to new tools and new operating systems, as well as the IT security hardware and software that the cloud provider is using and how the environment is being protected. In the case of IaaS and PaaS, cloud providers need to clarify the kind of IT security the customer is expected to put in place. With SaaS, the customer still needs to provide access security through its own systems, which could either be an identity management system or a local access control application.

Furthermore, it may be difficult to enforce protection throughout the cloud ecosystem. As discussed in section 1.3, the CSP needs to implement “reasonable security” when handling personal information. Different companies may be involved in the cloud supply chain, and this can make it difficult to ensure that such security is provided all the way along the chain. At present, clients often only know the initial CSP and the standard terms and conditions of cloud computing service providers do not include any clauses ensuring the level of security provided: they provide no guarantee as to the security of data, and even deny liability for deletion, alteration or loss related to data that is stored. As current terms of service are very much set in favour of the CSP [50], if anything goes wrong it is often the customer that will be made liable.

1.5.2 Unwanted Access

There needs to be an appropriate level of access control within the cloud environment to protect the security of resources. Cloud computing may actually increase the risk of access to confidential information.

First, this may be by foreign governments: there can be increased risks due to government surveillance over data stored in the cloud, as the data may be stored in countries where previously it was not. Governments in the countries where the data is processed or stored may even have legal rights to view the data under some circumstances [58, 6], and consumers may not be notified if this happens. One example of this is the US Patriot Act, as previously mentioned, which is an important concern for many customers considering switching to CSP models.


Second, as with other computing models, there is an underlying risk of unauthorised access that may be exacerbated if entities are involved in the provider chain that have inadequate security mechanisms in place (e.g. if they have inadequate vetting of internal IT staff who have highly privileged access). The risk of data theft from machines in the cloud can be by rogue employees of CSPs, by data thieves breaking into service providers’ machines, or even by other customers of the same service if there is inadequate separation of different customers’ data in a machine that they share in the cloud. Attackers may also break into the networks of the CSP, sub-contractors or co-hosted customers. Attackers may also use de-anonymisation techniques (see [59]). The damage that can be caused in these cases can be greater than in non-cloud environments, due to the scale of operation and the presence of certain roles in cloud architectures with potentially extensive access, including CSP system administrators and managed security service providers.

In general, cloud storage can be more at risk from malicious behaviour than processing in the cloud, because data may remain in the cloud for long periods of time and so the exposure time is much greater. On the other hand, there is more potential for usage of encryption in cloud storage, as considered further in section 1.7.3.

1.5.3 Vendor Lock-In

Cloud computing, as of today, lacks interoperability standards. Competing architectural standards are being developed, including Open Virtualization Format [60], Open Cloud Computing Interface [61], Data Liberation Front [62], SNIA Cloud Data Management Interface (CDMI) [63] and SAML [64], with big cloud vendors pushing their own mutually incompatible de facto standards. Limitations include: differences between common hypervisors; gaps in standard APIs for management functions; lack of commonly agreed data formats; issues with machine-to-machine interoperability of web services. The lack of standards makes it difficult to establish security frameworks for heterogeneous environments and forces people for the moment to rely on common security best practice. As there is no standardised communication between and within cloud providers and no standardised data export format, it is difficult to migrate from one cloud provider to another or bring back data and process it in-house.

1.5.4 Inadequate Data Deletion

Another major issue for cloud is to ensure that the customer has control over the lifecycle of their data, and in particular deletion, in the sense of how to be sure that data that should be deleted really are deleted and are not recoverable by a CSP. There are currently no ways to prove this as it relies on trust, and the problem is exacerbated in cloud because there can be many copies of the data (potentially held by different entities, some of which may not be available) or because it might not be possible to destroy a disk since it is storing other customers’ data.

The risks of data exposure vary according to the service model. Using IaaS or PaaS, one or more VMs are created in order for a program to be run within those; when the task is finished, the VMs and the temporary disk space are released. In fact, IaaS providers can provide storage and VM services which are complementary but allow for persistency of data between usage of multiple VMs. An allocated VM could be started to carry out a task and stopped once the task is completed; this is logically separate from managing the lifecycle of a VM (as the VM can be deleted when the data are no longer needed). Using a SaaS approach, on the other hand, the customer is one of the users of a multi-tenant application developed by the cloud service provider, and the customers’ data is stored in the cloud, to be accessible the next time the customer logs in. The data would only be deleted at the end of the lifecycle of the data, if the customer wishes to change service provider, etc. There is a correspondingly higher risk to the customer if hardware resources are reused than if dedicated hardware is used.

1.5.5 Compromise of the Management Interface

In public cloud service provision, the management interfaces are available via the Internet. This poses an increased risk compared to traditional hosting providers because remote access and web browser vulnerabilities can be introduced and, in addition, access can be given via these interfaces to larger sets of resources. This increased risk is present even if access is controlled by a password.

1.5.6 Backup Vulnerabilities

Cloud service providers make multiple copies of data and place them in different locations to provide a high level of reliability and performance. This serves as a form of backup, although it can lead to additional liabilities and threats from attackers. There is still the potential for the data to be lost, particularly with Storage as a Service. A popular solution is a type of hybrid storage cloud, where an appliance is placed at the customer's site, and backup data is stored there with a replicated copy sent to a cloud storage service provider. Indeed, one of the top threats identified by CSA [4] is ‘data loss or leakage’, where records may be deleted or altered without a backup of the original content. A record might be unlinked from a larger context, making it unrecoverable; data could be stored on unreliable media; and if there is a key management failure then data could be effectively destroyed. There have already been cases where backup was provided as an optional extra for a storage service, and a failure in that service resulted in the complete loss of the data of users that had not paid that premium. However, in general, cloud services can be more resilient than traditional services.

1.5.7 Isolation Failure

Multi-tenancy raises a security concern that one consumer may influence the operations or access data of other tenants running on the same cloud [65]. Multi-tenancy is an architectural feature whereby a single instance of software runs on a SaaS vendor’s servers, serving multiple client organizations. The software is designed to virtually partition its data and configuration so that each client organization works with a customized virtual application instance. In such a SaaS model the customers are users of multi-tenant applications developed by CSPs; it is likely that personal data and even financial data are stored by the CSP in the cloud, and it is the responsibility of the CSP to secure the data. There is a risk that the mechanisms that separate storage, memory or routing between different tenants might fail, and hence for example other tenants could access sensitive information. Some providers use job scheduling and resource management [66], but most cloud providers use virtualization to maximize hardware utilisation. Virtual machines (VMs) are sandboxed environments and are therefore assumed to be completely isolated from each other; this assumption is what allows users to share the same hardware. However, this security can sometimes break down, allowing attackers to escape the boundaries of this sandboxed environment and have full access to the host [67]. The use of virtualisation can introduce new security vulnerabilities, such as cross-VM side-channel attacks, where the attacker breaches the isolation between VMs allowing extraction of data via information leakage due to the sharing of physical resources [68], virtual network attacks, inadequate data deletion before memory is assigned to a different customer (cf. section 1.5.4) or “escape” to the hypervisor, where an attacker uses a guest virtual machine to attack vulnerabilities in the hypervisor software [69].
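As an added illustration of the SaaS partitioning failure described above (example code written for this chapter, not taken from it or from any provider), the following Python shows an unscoped lookup over a shared table that returns another tenant's row, beside a tenant-scoped repository that binds every query to the authenticated tenant and re-checks results before releasing them; the table layout, tenant names and rows are constructed.

```python
import sqlite3

# Constructed sample rows for two tenants sharing one table (not from the chapter).
SAMPLE_ROWS = [
    (1, "acme", "invoice-001", "ACME Q1 revenue"),
    (2, "acme", "invoice-002", "ACME Q2 revenue"),
    (3, "globex", "invoice-001", "Globex payroll"),
]


def build_db():
    """One shared table: the multi-tenant application partitions it only by the tenant column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, tenant TEXT, name TEXT, body TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def fetch_unscoped(db, record_id):
    """Isolation failure: the lookup keys on id alone, so whichever tenant calls it
    receives the row regardless of who owns it (the 'other tenants could access
    sensitive information' case)."""
    return db.execute("SELECT tenant, body FROM records WHERE id = ?", (record_id,)).fetchall()


class IsolationError(Exception):
    """Raised when a row that does not belong to the calling tenant is about to be released."""


class TenantScopedRepo:
    """Hardened form: the tenant identity comes from the authenticated session (never
    from the request), every query carries it as a predicate, and results are
    re-checked so a later query bug cannot silently cross the partition."""

    def __init__(self, db, tenant):
        self.db = db
        self.tenant = tenant

    def _release(self, rows):
        # Defence in depth: refuse, rather than return, any row from another tenant.
        for tenant, _ in rows:
            if tenant != self.tenant:
                raise IsolationError(f"row belongs to {tenant}, not {self.tenant}")
        return rows

    def fetch(self, record_id):
        rows = self.db.execute(
            "SELECT tenant, body FROM records WHERE tenant = ? AND id = ?",
            (self.tenant, record_id),
        ).fetchall()
        return self._release(rows)
```

With the scoped repository, a tenant asking for an id it does not own simply gets an empty result, and the release check turns any residual partitioning bug into a logged error rather than a leak.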

1.5.8 Missing Assurance and Transparency

One approach to privacy and security is to leave protection to the service provider. We have discussed above in Section 1.2 how expectations in this regard typically vary according to the service model. The cloud customer can in many cases transfer risk to the cloud provider (for example, via SLAs). However, not all risks can be transferred, and ultimately the cloud customer may be legally accountable (for example, in its role as the data controller). Moreover, the consequences of failure may include reputational damage, legal liability or even business failure, and this is unlikely to be fully compensated for.

So, cloud customers need to obtain assurance from cloud service providers that their data will be protected properly. They may also require that they are notified about security and privacy incidents. Some cloud providers provide information about their data handling practices and security mechanisms and offer related assurance, e.g. SAS-70 Type II certification. This type of approach is taken for accounting data, in any case. ENISA has
